Commit 228baa80b2063bc2692474e3bbc6eeef887f063e
1 parent
df96c079
Exists in
master
and in
4 other branches
LDAP Authentification with grack for https push - fixed password check
Showing
1 changed file
with
25 additions
and
1 deletions
Show diff stats
lib/gitlab/backend/grack_auth.rb
| 1 | 1 | require_relative 'shell_env' |
| 2 | +require 'omniauth-ldap' | |
| 2 | 3 | |
| 3 | 4 | module Grack |
| 4 | 5 | class Auth < Rack::Auth::Basic |
| ... | ... | @@ -32,8 +33,14 @@ module Grack |
| 32 | 33 | # Authentication with username and password |
| 33 | 34 | login, password = @auth.credentials |
| 34 | 35 | self.user = User.find_by_email(login) || User.find_by_username(login) |
| 35 | - return false unless user.try(:valid_password?, password) | |
| 36 | 36 | |
| 37 | + if user.nil? | |
| 38 | + ldap_auth(login,password) | |
| 39 | + return false unless !user.nil? | |
| 40 | + else | |
| 41 | + return false unless user.valid_password?(password); | |
| 42 | + end | |
| 43 | + | |
| 37 | 44 | Gitlab::ShellEnv.set_env(user) |
| 38 | 45 | end |
| 39 | 46 | |
| ... | ... | @@ -47,6 +54,23 @@ module Grack |
| 47 | 54 | end |
| 48 | 55 | end |
| 49 | 56 | |
| 57 | + def ldap_auth(login, password) | |
| 58 | + # Check user against LDAP backend if user is not authenticated | |
| 59 | + # Only check with valid login and password to prevent anonymous bind results | |
| 60 | + gl = Gitlab.config | |
| 61 | + if gl.ldap.enabled && !login.blank? && !password.blank? | |
| 62 | + ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap) | |
| 63 | + ldap_user = ldap.bind_as( | |
| 64 | + filter: Net::LDAP::Filter.eq(ldap.uid, login), | |
| 65 | + size: 1, | |
| 66 | + password: password | |
| 67 | + ) | |
| 68 | + if ldap_user | |
| 69 | + self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') | |
| 70 | + end | |
| 71 | + end | |
| 72 | + end | |
| 73 | + | |
| 50 | 74 | def validate_get_request |
| 51 | 75 | project.public || can?(user, :download_code, project) |
| 52 | 76 | end | ... | ... |